USG5100 as headquarters constitutes IPSEC VPN with usg2110 as branch, success to ping from branch-end to some address of internal network in headquarters. But if tunnel constituted, there is no way to ping from some address of internal network of headquarters to branch-end. The edition of USG is V100R005SPC300.
1、 there is no port quick forwarding issue because of the device is USG5100, and NAT hasn’t configured on device, no problems with other configuration.
2、 Ping from internal network of headquarters to internal network of branch-end, review sessions on USG device as below:
[USG5100]disp firewall session table
Current Total Sessions : 9
esp VPN:public --> public 220.127.116.11:0-->18.104.22.168:0
tcp VPN:public --> public 192.168.10.33:1058-->192.168.1.112:3389
icmp VPN:public --> public 192.168.1.112:1024[22.214.171.124:1024]-->192.168.10.1:2048
netbios-data VPN:public --> public 192.168.1.112:138[126.96.36.199:138]-->192.168.1.255:138
Finding out that the session to peer-end was transformed by NAT, but NAT of outbound direction hasn’t been configured on USG5100, this address couldn’t access the external network neither.
3、 Finding out that address mapping has been done for this address by user after review configuration again.
nat server 0 protocol tcp global 188.8.131.52 3389 inside 192.168.1.112 3389
trying to add “no-reverse” after this configuration command, success to ping private network address of peer-end , it says that IPSEC data flow matches the reverse session of nat server.
1、 interface quick forwarding matters.
2、 NAT of outbound direction hasn’t rejected data flow interested in yet.
Matching mapping entire ip addresses if some address has reverse session at outbound direction, not mapping to detail port exactly even configuring mapping based on port.